diff options
Diffstat (limited to 'secure/lib/libcrypto/man/man3/OSSL_CMP_exec_certreq.3')
| -rw-r--r-- | secure/lib/libcrypto/man/man3/OSSL_CMP_exec_certreq.3 | 277 |
1 files changed, 142 insertions, 135 deletions
diff --git a/secure/lib/libcrypto/man/man3/OSSL_CMP_exec_certreq.3 b/secure/lib/libcrypto/man/man3/OSSL_CMP_exec_certreq.3 index 12390c84f1cf..4d58ece2eae9 100644 --- a/secure/lib/libcrypto/man/man3/OSSL_CMP_exec_certreq.3 +++ b/secure/lib/libcrypto/man/man3/OSSL_CMP_exec_certreq.3 @@ -1,4 +1,5 @@ -.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42) +.\" -*- mode: troff; coding: utf-8 -*- +.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -15,29 +16,12 @@ .ft R .fi .. -.\" Set up some character translations and predefined strings. \*(-- will -.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left -.\" double quote, and \*(R" will give a right double quote. \*(C+ will -.\" give a nicer C++. Capital omega is used to do unbreakable dashes and -.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, -.\" nothing in troff, for use with C<>. -.tr \(*W- -.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>. .ie n \{\ -. ds -- \(*W- -. ds PI pi -. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch -. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch -. ds L" "" -. ds R" "" . ds C` "" . ds C' "" 'br\} .el\{\ -. ds -- \|\(em\| -. ds PI \(*p -. ds L" `` -. ds R" '' . ds C` . ds C' 'br\} @@ -68,75 +52,15 @@ . \} .\} .rr rF -.\" Fear. Run. Save yourself. No user-serviceable parts. -. \" fudge factors for nroff and troff -.if n \{\ -. ds #H 0 -. ds #V .8m -. ds #F .3m -. ds #[ \f1 -. ds #] \fP -.\} -.if t \{\ -. ds #H ((1u-(\\\\n(.fu%2u))*.13m) -. ds #V .6m -. ds #F 0 -. ds #[ \& -. ds #] \& -.\} -. \" simple accents for nroff and troff -.if n \{\ -. ds ' \& -. ds ` \& -. ds ^ \& -. ds , \& -. ds ~ ~ -. ds / -.\} -.if t \{\ -. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" -. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' -. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' -. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' -. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' -. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' -.\} -. \" troff and (daisy-wheel) nroff accents -.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' -.ds 8 \h'\*(#H'\(*b\h'-\*(#H' -.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] -.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' -.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' -.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] -.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] -.ds ae a\h'-(\w'a'u*4/10)'e -.ds Ae A\h'-(\w'A'u*4/10)'E -. \" corrections for vroff -.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' -.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' -. \" for low resolution devices (crt and lpr) -.if \n(.H>23 .if \n(.V>19 \ -\{\ -. ds : e -. ds 8 ss -. ds o a -. ds d- d\h'-1'\(ga -. ds D- D\h'-1'\(hy -. ds th \o'bp' -. ds Th \o'LP' -. ds ae ae -. ds Ae AE -.\} -.rm #[ #] #H #V #F C .\" ======================================================================== .\" .IX Title "OSSL_CMP_EXEC_CERTREQ 3ossl" -.TH OSSL_CMP_EXEC_CERTREQ 3ossl "2023-09-19" "3.0.11" "OpenSSL" +.TH OSSL_CMP_EXEC_CERTREQ 3ossl 2025-07-01 3.5.1 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh -.SH "NAME" +.SH NAME OSSL_CMP_exec_certreq, OSSL_CMP_exec_IR_ses, OSSL_CMP_exec_CR_ses, @@ -148,9 +72,13 @@ OSSL_CMP_P10CR, OSSL_CMP_KUR, OSSL_CMP_try_certreq, OSSL_CMP_exec_RR_ses, -OSSL_CMP_exec_GENM_ses +OSSL_CMP_exec_GENM_ses, +OSSL_CMP_get1_caCerts, +OSSL_CMP_get1_rootCaKeyUpdate, +OSSL_CMP_get1_crlUpdate, +OSSL_CMP_get1_certReqTemplate \&\- functions implementing CMP client transactions -.SH "SYNOPSIS" +.SH SYNOPSIS .IX Header "SYNOPSIS" .Vb 1 \& #include <openssl/cmp.h> @@ -168,30 +96,41 @@ OSSL_CMP_exec_GENM_ses \& int OSSL_CMP_try_certreq(OSSL_CMP_CTX *ctx, int req_type, \& const OSSL_CRMF_MSG *crm, int *checkAfter); \& int OSSL_CMP_exec_RR_ses(OSSL_CMP_CTX *ctx); +\& \& STACK_OF(OSSL_CMP_ITAV) *OSSL_CMP_exec_GENM_ses(OSSL_CMP_CTX *ctx); +\& int OSSL_CMP_get1_caCerts(OSSL_CMP_CTX *ctx, STACK_OF(X509) **out); +\& int OSSL_CMP_get1_rootCaKeyUpdate(OSSL_CMP_CTX *ctx, +\& const X509 *oldWithOld, X509 **newWithNew, +\& X509 **newWithOld, X509 **oldWithNew); +\& int OSSL_CMP_get1_crlUpdate(OSSL_CMP_CTX *ctx, const X509 *crlcert, +\& const X509_CRL *last_crl, +\& X509_CRL **crl); +\& int OSSL_CMP_get1_certReqTemplate(OSSL_CMP_CTX *ctx, +\& OSSL_CRMF_CERTTEMPLATE **certTemplate, +\& OSSL_CMP_ATAVS **keySpec); +\&=head1 DESCRIPTION .Ve -.SH "DESCRIPTION" -.IX Header "DESCRIPTION" -This is the OpenSSL \s-1API\s0 for doing \s-1CMP\s0 (Certificate Management Protocol) -client-server transactions, i.e., sequences of \s-1CMP\s0 requests and responses. .PP -All functions take a populated \s-1OSSL_CMP_CTX\s0 structure as their first argument. -Usually the server name, port, and path (\*(L"\s-1CMP\s0 alias\*(R") need to be set, as well as +This is the OpenSSL API for doing CMP (Certificate Management Protocol) +client-server transactions, i.e., sequences of CMP requests and responses. +.PP +All functions take a populated OSSL_CMP_CTX structure as their first argument. +Usually the server name, port, and path ("CMP alias") need to be set, as well as credentials the client can use for authenticating itself to the server. In order to authenticate the server the client typically needs a trust store. The functions return their respective main results directly, while there are also accessor functions for retrieving various results and status information from the \fIctx\fR. See \fBOSSL_CMP_CTX_new\fR\|(3) etc. for details. .PP -The default conveying protocol is \s-1HTTP.\s0 +The default conveying protocol is HTTP. Timeout values may be given per request-response pair and per transaction. See \fBOSSL_CMP_MSG_http_perform\fR\|(3) for details. .PP -\&\fBOSSL_CMP_exec_IR_ses()\fR requests an initial certificate from the given \s-1PKI.\s0 +\&\fBOSSL_CMP_exec_IR_ses()\fR requests an initial certificate from the given PKI. .PP \&\fBOSSL_CMP_exec_CR_ses()\fR requests an additional certificate. .PP -\&\fBOSSL_CMP_exec_P10CR_ses()\fR conveys a legacy PKCS#10 \s-1CSR\s0 requesting a certificate. +\&\fBOSSL_CMP_exec_P10CR_ses()\fR conveys a legacy PKCS#10 CSR requesting a certificate. .PP \&\fBOSSL_CMP_exec_KUR_ses()\fR obtains an updated certificate. .PP @@ -199,15 +138,15 @@ These four types of certificate enrollment are implemented as macros calling \fBOSSL_CMP_exec_certreq()\fR. .PP \&\fBOSSL_CMP_exec_certreq()\fR performs a certificate request of the type specified -by the \fIreq_type\fR parameter, which may be \s-1IR, CR, P10CR,\s0 or \s-1KUR.\s0 -For \s-1IR, CR,\s0 and \s-1KUR,\s0 the certificate template to be used in the request -may be supplied via the \fIcrm\fR parameter pointing to a \s-1CRMF\s0 structure. -Typically \fIcrm\fR is \s-1NULL,\s0 then the template ingredients are taken from \fIctx\fR +by the \fIreq_type\fR parameter, which may be IR, CR, P10CR, or KUR. +For IR, CR, and KUR, the certificate template to be used in the request +may be supplied via the \fIcrm\fR parameter pointing to a CRMF structure. +Typically \fIcrm\fR is NULL, then the template ingredients are taken from \fIctx\fR and need to be filled in using \fBOSSL_CMP_CTX_set1_subjectName\fR\|(3), \&\fBOSSL_CMP_CTX_set0_newPkey\fR\|(3), \fBOSSL_CMP_CTX_set1_oldCert\fR\|(3), etc. For P10CR, \fBOSSL_CMP_CTX_set1_p10CSR\fR\|(3) needs to be used instead. -The enrollment session may be blocked by sleeping until the addressed -\&\s-1CA\s0 (or an intermediate \s-1PKI\s0 component) can fully process and answer the request. +The enrollment session may be blocked (with polling and sleeping in between) +until the server side can fully process and ultimately answer the request. .PP \&\fBOSSL_CMP_try_certreq()\fR is an alternative to the above functions that is more flexible regarding what to do after receiving a checkAfter value. @@ -220,9 +159,9 @@ unless the \fIreq_type\fR argument is < 0, which aborts the request. If the requested certificate is available the function returns 1 and the caller can use \fBOSSL_CMP_CTX_get0_newCert\fR\|(3) to retrieve the new certificate. If no error occurred but no certificate is available yet then -\&\fBOSSL_CMP_try_certreq()\fR remembers in the \s-1CMP\s0 context that it should be retried +\&\fBOSSL_CMP_try_certreq()\fR remembers in the CMP context that it should be retried and returns \-1 after assigning the received checkAfter value -via the output pointer argument (unless it is \s-1NULL\s0). +via the output pointer argument (unless it is NULL). The checkAfter value indicates the number of seconds the caller should let pass before trying again. The caller is free to sleep for the given number of seconds or for some other time and/or to do anything else before retrying by calling @@ -231,43 +170,99 @@ or for some other time and/or to do anything else before retrying by calling to see whether meanwhile the requested certificate is available. If the caller decides to abort the pending certificate request and provides a negative value as the \fIreq_type\fR argument then \fBOSSL_CMP_try_certreq()\fR -aborts the \s-1CMP\s0 transaction by sending an error message to the server. +aborts the CMP transaction by sending an error message to the server. .PP \&\fBOSSL_CMP_exec_RR_ses()\fR requests the revocation of the certificate -specified in the \fIctx\fR using \fBOSSL_CMP_CTX_set1_oldCert\fR\|(3). -\&\s-1RFC 4210\s0 is vague in which PKIStatus should be returned by the server. -We take \*(L"accepted\*(R" and \*(L"grantedWithMods\*(R" as clear success and handle -\&\*(L"revocationWarning\*(R" and \*(L"revocationNotification\*(R" just as warnings because CAs +specified in the \fIctx\fR using the issuer DN and serial number set by +\&\fBOSSL_CMP_CTX_set1_issuer\fR\|(3) and \fBOSSL_CMP_CTX_set1_serialNumber\fR\|(3), respectively, +otherwise the issuer DN and serial number +of the certificate set by \fBOSSL_CMP_CTX_set1_oldCert\fR\|(3), +otherwise the subject DN and public key +of the certificate signing request set by \fBOSSL_CMP_CTX_set1_p10CSR\fR\|(3). +RFC 4210 is vague in which PKIStatus should be returned by the server. +We take "accepted" and "grantedWithMods" as clear success and handle +"revocationWarning" and "revocationNotification" just as warnings because CAs typically return them as an indication that the certificate was already revoked. -\&\*(L"rejection\*(R" is a clear error. The values \*(L"waiting\*(R" and \*(L"keyUpdateWarning\*(R" +"rejection" is a clear error. The values "waiting" and "keyUpdateWarning" make no sense for revocation and thus are treated as an error as well. +The revocation session may be blocked (with polling and sleeping in between) +until the server can fully process and ultimately answer the request. .PP -\&\fBOSSL_CMP_exec_GENM_ses()\fR sends a general message containing the sequence of -infoType and infoValue pairs (InfoTypeAndValue; short: \fB\s-1ITAV\s0\fR) +\&\fBOSSL_CMP_exec_GENM_ses()\fR sends a genm general message containing the sequence of +infoType and infoValue pairs (InfoTypeAndValue; short: \fBITAV\fR) optionally provided in the \fIctx\fR using \fBOSSL_CMP_CTX_push0_genm_ITAV\fR\|(3). -On success it records in \fIctx\fR the status \fBOSSL_CMP_PKISTATUS_accepted\fR -and returns the list of \fB\s-1ITAV\s0\fRs received in the \s-1GENP\s0 message. -This can be used, for instance, to poll for CRLs or \s-1CA\s0 Key Updates. -See \s-1RFC 4210\s0 section 5.3.19 and appendix E.5 for details. -.SH "NOTES" +The message exchange may be blocked (with polling and sleeping in between) +until the server can fully process and ultimately answer the request. +On success the function records in \fIctx\fR status \fBOSSL_CMP_PKISTATUS_accepted\fR +and returns the list of \fBITAV\fRs received in a genp response message. +This can be used, for instance, +with infoType \f(CW\*(C`signKeyPairTypes\*(C'\fR to obtain the set of signature +algorithm identifiers that the CA will certify for subject public keys. +See RFC 4210 section 5.3.19 and appendix E.5 for details. +Functions implementing more specific genm/genp exchanges are described next. +.PP +\&\fBOSSL_CMP_get1_caCerts()\fR uses a genm/genp message exchange with infoType caCerts +to obtain a list of CA certificates from the CMP server referenced by \fIctx\fR. +On success it assigns to \fI*out\fR the list of certificates received, +which must be freed by the caller. +NULL output means that no CA certificates were provided by the server. +.PP +\&\fBOSSL_CMP_get1_rootCaKeyUpdate()\fR uses a genm request message +with infoType rootCaCert to obtain from the CMP server referenced by \fIctx\fR +in a genp response message with infoType rootCaKeyUpdate any update of the +given root CA certificate \fIoldWithOld\fR and verifies it as far as possible. +See RFC 4210 section 4.4 for details. +On success it assigns to \fI*newWithNew\fR the root certificate received. +When the \fInewWithOld\fR and \fIoldWithNew\fR output parameters are not NULL, +it assigns to them the corresponding transition certificates. +NULL means that the respective certificate was not provided by the server. +All certificates obtained this way must be freed by the caller. +.PP +\&\fBWARNING:\fR +The \fInewWithNew\fR certificate is meant to be a certificate that will be trusted. +The trust placed in it cannot be stronger than the trust placed in +the \fIoldwithold\fR certificate if present, otherwise it cannot be stronger than +the weakest trust in any of the certificates in the trust store of \fIctx\fR. +.PP +\&\fBOSSL_CMP_get1_crlUpdate()\fR uses a genm request message with infoType crlStatusList +to obtain CRL from the CMP server referenced by \fIctx\fR in a genp response message +with infoType crls. It uses \fIlast_crl\fR and \fIcrlcert\fR to create +a request with a status field as described for \fBOSSL_CMP_CRLSTATUS_create\fR\|(3). +On success it assigns to \fI*crl\fR the CRL received. +NULL means that no CRL was provided by the server. +The CRL obtained this way must be freed by the caller. +.PP +\&\fBOSSL_CMP_get1_certReqTemplate()\fR uses a genm request message with +infoType certReqTemplate to obtain a certificate request template from the +CMP server referenced by \fIctx\fR. On success it assigns to \fI*certTemplate\fR +the certificate template received. NULL output means that no certificate +request template was provided by the server. +The optional \fIkeySpec\fR output parameter is assigned the key specification +if received, otherwise it set to NULL. +Both must be freed by the caller. +.SH NOTES .IX Header "NOTES" -\&\s-1CMP\s0 is defined in \s-1RFC 4210\s0 (and \s-1CRMF\s0 in \s-1RFC 4211\s0). +CMP is defined in RFC 4210 (and CRMF in RFC 4211). .PP -The \s-1CMP\s0 client implementation is limited to one request per \s-1CMP\s0 message -(and consequently to at most one response component per \s-1CMP\s0 message). +The CMP client implementation is limited to one request per CMP message +(and consequently to at most one response component per CMP message). .PP -When a client obtains from a \s-1CMP\s0 server \s-1CA\s0 certificates that it is going to -trust, for instance via the caPubs field of a certificate response, -authentication of the \s-1CMP\s0 server is particularly critical. +When a client obtains from a CMP server CA certificates that it is going to +trust, for instance via the caPubs field of a certificate response or using +functions like \fBOSSL_CMP_get1_caCerts()\fR and \fBOSSL_CMP_get1_rootCaKeyUpdate()\fR, +authentication of the CMP server is particularly critical. So special care must be taken setting up server authentication in \fIctx\fR using functions such as -\&\fBOSSL_CMP_CTX_set0_trustedStore\fR\|(3) (for certificate-based authentication) or +\&\fBOSSL_CMP_CTX_set0_trusted\fR\|(3) (for certificate-based authentication) or \&\fBOSSL_CMP_CTX_set1_secretValue\fR\|(3) (for MAC-based protection). +If authentication is certificate-based, \fBOSSL_CMP_CTX_get0_validatedSrvCert\fR\|(3) +should be used to obtain the server validated certificate +and perform an authorization check based on it. .SH "RETURN VALUES" .IX Header "RETURN VALUES" \&\fBOSSL_CMP_exec_certreq()\fR, \fBOSSL_CMP_exec_IR_ses()\fR, \fBOSSL_CMP_exec_CR_ses()\fR, \&\fBOSSL_CMP_exec_P10CR_ses()\fR, and \fBOSSL_CMP_exec_KUR_ses()\fR return a -pointer to the newly obtained X509 certificate on success, \s-1NULL\s0 on error. +pointer to the newly obtained X509 certificate on success, NULL on error. This pointer will be freed implicitly by \fBOSSL_CMP_CTX_free()\fR or \&\fBCSSL_CMP_CTX_reinit()\fR. .PP @@ -275,18 +270,21 @@ This pointer will be freed implicitly by \fBOSSL_CMP_CTX_free()\fR or via \fBOSSL_CMP_CTX_get0_newCert\fR\|(3) or on successfully aborting a pending certificate request, 0 on error, and \-1 in case a 'waiting' status has been received and checkAfter value is available. -In the latter case \fBOSSL_CMP_CTX_get0_newCert\fR\|(3) yields \s-1NULL\s0 +In the latter case \fBOSSL_CMP_CTX_get0_newCert\fR\|(3) yields NULL and the output parameter \fIcheckAfter\fR has been used to -assign the received value unless \fIcheckAfter\fR is \s-1NULL.\s0 +assign the received value unless \fIcheckAfter\fR is NULL. .PP -\&\fBOSSL_CMP_exec_RR_ses()\fR returns 1 on success, 0 on error. +\&\fBOSSL_CMP_exec_RR_ses()\fR, \fBOSSL_CMP_get1_caCerts()\fR, +\&\fBOSSL_CMP_get1_rootCaKeyUpdate()\fR, \fBOSSL_CMP_get1_crlUpdate()\fR +and \fBOSSL_CMP_get1_certReqTemplate()\fR +return 1 on success, 0 on error. .PP -\&\fBOSSL_CMP_exec_GENM_ses()\fR returns \s-1NULL\s0 on error, -otherwise a pointer to the sequence of \fB\s-1ITAV\s0\fR received, which may be empty. +\&\fBOSSL_CMP_exec_GENM_ses()\fR returns NULL on error, +otherwise a pointer to the sequence of \fBITAV\fR received, which may be empty. This pointer must be freed by the caller. -.SH "EXAMPLES" +.SH EXAMPLES .IX Header "EXAMPLES" -See \s-1OSSL_CMP_CTX\s0 for examples on how to prepare the context for these +See OSSL_CMP_CTX for examples on how to prepare the context for these functions. .SH "SEE ALSO" .IX Header "SEE ALSO" @@ -294,15 +292,24 @@ functions. \&\fBOSSL_CMP_CTX_set1_subjectName\fR\|(3), \fBOSSL_CMP_CTX_set0_newPkey\fR\|(3), \&\fBOSSL_CMP_CTX_set1_p10CSR\fR\|(3), \fBOSSL_CMP_CTX_set1_oldCert\fR\|(3), \&\fBOSSL_CMP_CTX_get0_newCert\fR\|(3), \fBOSSL_CMP_CTX_push0_genm_ITAV\fR\|(3), -\&\fBOSSL_CMP_MSG_http_perform\fR\|(3) -.SH "HISTORY" +\&\fBOSSL_CMP_MSG_http_perform\fR\|(3), \fBOSSL_CMP_CRLSTATUS_create\fR\|(3) +.SH HISTORY .IX Header "HISTORY" -The OpenSSL \s-1CMP\s0 support was added in OpenSSL 3.0. -.SH "COPYRIGHT" +The OpenSSL CMP support was added in OpenSSL 3.0. +.PP +\&\fBOSSL_CMP_get1_caCerts()\fR and \fBOSSL_CMP_get1_rootCaKeyUpdate()\fR +were added in OpenSSL 3.2. +.PP +Support for delayed delivery of all types of response messages +was added in OpenSSL 3.3. +.PP +\&\fBOSSL_CMP_get1_crlUpdate()\fR and \fBOSSL_CMP_get1_certReqTemplate()\fR +were added in OpenSSL 3.4. +.SH COPYRIGHT .IX Header "COPYRIGHT" -Copyright 2007\-2023 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2007\-2024 The OpenSSL Project Authors. All Rights Reserved. .PP -Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use +Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy -in the file \s-1LICENSE\s0 in the source distribution or at +in the file LICENSE in the source distribution or at <https://www.openssl.org/source/license.html>. |